From 56677869cec16ecf79650ff3f7b7de69f57b3119 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ar=C5=ABnas=20Liuiza?= <ask@arunas.co>
Date: Thu, 13 Jun 2024 15:13:28 +0300
Subject: [PATCH 1/5] 43251 add a check for editable roles when
 creating/assigning user to blog in a multisite

---
 src/wp-admin/user-new.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/wp-admin/user-new.php b/src/wp-admin/user-new.php
index c24033a6edfe5..9bcb203b8081b 100644
--- a/src/wp-admin/user-new.php
+++ b/src/wp-admin/user-new.php
@@ -67,6 +67,16 @@
 		$redirect = add_query_arg( array( 'update' => 'addexisting' ), 'user-new.php' );
 	} else {
 		if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
+
+			$roles = get_editable_roles();
+			if ( ! isset( $roles[ $_REQUEST['role'] ] ) ) {
+				wp_die(
+					'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
+					'<p>' . __( 'Sorry, you are not allowed to assign users to this role.' ) . '</p>',
+					403
+				);
+			}
+
 			$result = add_existing_user_to_blog(
 				array(
 					'user_id' => $user_id,
@@ -218,6 +228,16 @@
 				add_filter( 'wpmu_signup_user_notification', '__return_false' );  // Disable confirmation email.
 				add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email.
 			}
+
+			$roles = get_editable_roles();
+			if ( ! isset( $roles[ $_REQUEST['role'] ] ) ) {
+				wp_die(
+					'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
+					'<p>' . __( 'Sorry, you are not allowed to assign users to this role.' ) . '</p>',
+					403
+				);
+			}
+
 			wpmu_signup_user(
 				$new_user_login,
 				$new_user_email,

From 3fdce988455c1d7d4d62501e894862998ea2ec9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ar=C5=ABnas=20Liuiza?= <ask@arunas.co>
Date: Thu, 13 Jun 2024 16:32:03 +0300
Subject: [PATCH 2/5] 43251 make the change more testable

---
 src/wp-admin/includes/ms.php | 21 +++++++++++++++++++++
 src/wp-admin/user-new.php    | 18 ++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php
index 6814d1198e9e8..d00335b5ef57a 100644
--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php
@@ -1172,3 +1172,24 @@ function get_site_screen_help_sidebar_content() {
 		'<p>' . __( '<a href="https://developer.wordpress.org/advanced-administration/multisite/admin/#network-admin-sites-screen">Documentation on Site Management</a>' ) . '</p>' .
 		'<p>' . __( '<a href="https://wordpress.org/support/forum/multisite/">Support forums</a>' ) . '</p>';
 }
+
+
+/**
+ * Makes sure the passed $role is part of editable_roles
+ *
+ * @since 6.7.0
+ *
+ * @param string $role - name of the role
+ * @return void
+ */
+
+function ensure_editable_role( $role ) {
+	$roles = get_editable_roles();
+	if ( ! isset( $roles[ $role ] ) ) {
+		wp_die(
+			'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
+			'<p>' . __( 'Sorry, you are not allowed to assign users to this role.' ) . '</p>',
+			403
+		);
+	}
+}
diff --git a/src/wp-admin/user-new.php b/src/wp-admin/user-new.php
index 9bcb203b8081b..d2a2e3b5c9493 100644
--- a/src/wp-admin/user-new.php
+++ b/src/wp-admin/user-new.php
@@ -68,14 +68,7 @@
 	} else {
 		if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
 
-			$roles = get_editable_roles();
-			if ( ! isset( $roles[ $_REQUEST['role'] ] ) ) {
-				wp_die(
-					'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
-					'<p>' . __( 'Sorry, you are not allowed to assign users to this role.' ) . '</p>',
-					403
-				);
-			}
+			ensure_editable_role( $_REQUEST['role'] );
 
 			$result = add_existing_user_to_blog(
 				array(
@@ -229,14 +222,7 @@
 				add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email.
 			}
 
-			$roles = get_editable_roles();
-			if ( ! isset( $roles[ $_REQUEST['role'] ] ) ) {
-				wp_die(
-					'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
-					'<p>' . __( 'Sorry, you are not allowed to assign users to this role.' ) . '</p>',
-					403
-				);
-			}
+			ensure_editable_role( $_REQUEST['role'] );
 
 			wpmu_signup_user(
 				$new_user_login,

From 528f3142c71bef2a500420e5276112ae5cfefd6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ar=C5=ABnas=20Liuiza?= <ask@arunas.co>
Date: Thu, 13 Jun 2024 16:32:21 +0300
Subject: [PATCH 3/5] 43251 add unit tests

---
 .../multisite/wpmuValidateUserSignup.php      | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
index f88ed0ff788ce..cd39356c7938f 100644
--- a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -220,6 +220,36 @@ public function test_signup_nonce_check_invalid() {
 
 			$this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
 		}
+
+		public function test_ensure_editable_role() {
+			$exception    = null;
+			try {
+				ensure_editable_role( 'editor' );
+			} catch ( WPDieException $e ) {
+				$exception = $e;
+			}
+			$this->assertNull( $exception );
+
+			$exception    = null;
+			try {
+				ensure_editable_role( 'non-existant' );
+			} catch ( WPDieException $e ) {
+				$exception = $e;
+			}
+			$this->assertNotNull( $exception );
+			$this->assertStringContainsString( 'Sorry, you are not allowed to assign users to this role.', $exception->getMessage() );
+
+			$exception    = null;
+			try {
+				add_filter( 'editable_roles', function( $roles ) { unset( $roles['administrator'] ); return $roles; } );
+				ensure_editable_role( 'administrator' );
+				remove_filter( 'editable_roles', function( $roles ) { unset( $roles['administrator'] ); return $roles; } );
+			} catch ( WPDieException $e ) {
+				$exception = $e;
+			}
+			$this->assertNotNull( $exception );
+			$this->assertStringContainsString( 'Sorry, you are not allowed to assign users to this role.', $exception->getMessage() );
+		}
 	}
 
 endif;

From 782fe071a89ccec88914d5d29a6f449bee0d4949 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ar=C5=ABnas=20Liuiza?= <ask@arunas.co>
Date: Thu, 13 Jun 2024 17:06:40 +0300
Subject: [PATCH 4/5] 43251 update code style

---
 .../tests/multisite/wpmuValidateUserSignup.php       | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
index cd39356c7938f..56f518aed570e 100644
--- a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -241,9 +241,17 @@ public function test_ensure_editable_role() {
 
 			$exception    = null;
 			try {
-				add_filter( 'editable_roles', function( $roles ) { unset( $roles['administrator'] ); return $roles; } );
+				add_filter( 'editable_roles', function ( $roles ) {
+					unset( $roles['administrator'] );
+					return $roles;
+				} );
+
 				ensure_editable_role( 'administrator' );
-				remove_filter( 'editable_roles', function( $roles ) { unset( $roles['administrator'] ); return $roles; } );
+
+				remove_filter( 'editable_roles', function ( $roles ) {
+					unset( $roles['administrator'] );
+					return $roles;
+				} );
 			} catch ( WPDieException $e ) {
 				$exception = $e;
 			}

From 8d3037428a90325c689a094afa5e60511a11c254 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ar=C5=ABnas=20Liuiza?= <ask@arunas.co>
Date: Thu, 13 Jun 2024 17:27:57 +0300
Subject: [PATCH 5/5] 43251 fix formatting

---
 .../multisite/wpmuValidateUserSignup.php      | 28 +++++++++++--------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
index 56f518aed570e..c5e9486a5719b 100644
--- a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -222,7 +222,7 @@ public function test_signup_nonce_check_invalid() {
 		}
 
 		public function test_ensure_editable_role() {
-			$exception    = null;
+			$exception = null;
 			try {
 				ensure_editable_role( 'editor' );
 			} catch ( WPDieException $e ) {
@@ -230,7 +230,7 @@ public function test_ensure_editable_role() {
 			}
 			$this->assertNull( $exception );
 
-			$exception    = null;
+			$exception = null;
 			try {
 				ensure_editable_role( 'non-existant' );
 			} catch ( WPDieException $e ) {
@@ -239,19 +239,25 @@ public function test_ensure_editable_role() {
 			$this->assertNotNull( $exception );
 			$this->assertStringContainsString( 'Sorry, you are not allowed to assign users to this role.', $exception->getMessage() );
 
-			$exception    = null;
+			$exception = null;
 			try {
-				add_filter( 'editable_roles', function ( $roles ) {
-					unset( $roles['administrator'] );
-					return $roles;
-				} );
+				add_filter(
+					'editable_roles',
+					function ( $roles ) {
+						unset( $roles['administrator'] );
+						return $roles;
+					}
+				);
 
 				ensure_editable_role( 'administrator' );
 
-				remove_filter( 'editable_roles', function ( $roles ) {
-					unset( $roles['administrator'] );
-					return $roles;
-				} );
+				remove_filter(
+					'editable_roles',
+					function ( $roles ) {
+						unset( $roles['administrator'] );
+						return $roles;
+					}
+				);
 			} catch ( WPDieException $e ) {
 				$exception = $e;
 			}